The Password Breach That Affected Our Whole Team

TL;DR

A project management tool we used got breached. Three team members had reused their work email passwords there, which led to credential stuffing attempts across our services. One account was successfully compromised before we caught it. We implemented mandatory password managers and 2FA, and learned painful lessons about password hygiene.

The breach notification email seemed like routine spam at first. "Your data may have been compromised in a recent security incident." We'd all gotten hundreds of these. This one was different.

The Chain Reaction

The breached service was a project management tool we'd used briefly two years ago. Most of the team had forgotten about it. But the email/password combinations were now in a database being sold on the dark web.

"I got an alert from Google that someone in Vietnam had tried to log into my account. Then our Slack showed a login from an unfamiliar IP. Then AWS sent a suspicious activity warning. It was all connected."

Three team members had committed the cardinal sin: using the same password for the breached service and their work accounts. The attackers were running automated credential stuffing attacks across popular services.

What Got Compromised

One team member's GitHub account was accessed before we realized what was happening. The attacker had:

  • Read access to private repositories
  • Viewed some environment variable configurations
  • Potentially cloned repository contents

Fortunately, our actual secrets were in a separate vault, not in the repos. But it was too close for comfort.

What Enabled the Attack

  • Password reuse across personal and work accounts
  • No mandatory 2FA policy for the team
  • Using personal emails for some work services
  • No monitoring for suspicious login attempts
  • Abandoned accounts on forgotten services

The Response

Once we understood the scope, we moved fast:

  1. Immediate password resets: All team members reset passwords on all work services
  2. Session revocation: Logged out all sessions everywhere
  3. 2FA enforcement: Mandatory 2FA on all work accounts within 24 hours
  4. Audit logs review: Checked all services for unauthorized access
  5. API key rotation: Rotated all keys that might have been visible in repos

The New Policy

We implemented strict new requirements:

Team Security Requirements:
1. Password manager required (1Password Teams)
2. Unique password for every service
3. 2FA mandatory on all work accounts
4. Hardware keys (YubiKey) for critical services
5. Work email only for work services
6. Regular HaveIBeenPwned checks
7. Quarterly access review and cleanup

We also set up alerts for breach notifications using services that monitor for company email addresses appearing in new breaches.

Key Lessons Learned

  • Password reuse is a ticking time bomb - every service you sign up for is a potential breach vector
  • Mandate password managers for teams - makes unique passwords practical
  • 2FA should be non-negotiable for work accounts
  • Monitor for team credentials in breach databases
  • Audit and delete accounts on services you no longer use
  • Use work emails only for work services

Checking If You're Affected

Everyone should regularly check if their credentials have been exposed:

  • HaveIBeenPwned.com: Check if your email appears in known breaches
  • Password manager breach monitoring: 1Password, Bitwarden, and others offer this
  • Google/Firefox password checkup: Both browsers can check saved passwords against breaches

If you find your credentials in a breach, change that password everywhere you've used it. Better yet, use a password manager so you never reuse passwords again.
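The "Regular HaveIBeenPwned checks" requirement above can be scripted against the Pwned Passwords range API, which uses k-anonymity: only the first five hex characters of the password's SHA-1 leave your machine, and the matching is done locally. This is an added example, not code from the original post; the sample range response is constructed (the real API returns far more lines), and the script name in the User-Agent is an assumption.

```python
import hashlib
import urllib.request
from typing import Optional

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of the password into the 5-char
    prefix that is sent to the API and the 35-char suffix that never is."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix: str) -> str:
    """Live lookup (not used by the offline demo below). Only the prefix
    leaves the machine; Add-Padding hides the true response size."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "team-password-audit"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def count_in_range(suffix: str, body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the breach count for our suffix.
    Padding entries carry a count of 0, so they never produce a false hit."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def pwned_count(password: str, body: Optional[str] = None) -> int:
    """Number of times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    if body is None:
        body = fetch_range(prefix)
    return count_in_range(suffix, body)

# Constructed sample response for prefix 5BAA6.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E8C6C1A7AC7D8C2B4E8D2A7F0E0C9B1A2B:0
0F3F5B2C9A8D7E6F5A4B3C2D1E0F9A8B7C6:12
"""

if __name__ == "__main__":
    print(pwned_count("password", SAMPLE_RANGE_5BAA6))  # prints 3861493
```

Calling pwned_count with no body performs the live lookup; any non-zero result means the password has appeared in a breach and should be replaced everywhere it is used.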

How do credential stuffing attacks work?

Attackers take email/password pairs from one breach and automatically try them on many other services (Gmail, GitHub, AWS, etc.). Since many people reuse passwords, a surprising percentage of attempts succeed.

Is a password manager really necessary?

Yes. Humans can't remember unique, strong passwords for the dozens of services we use. Password managers make this practical and often catch when you try to reuse passwords or log into a phishing site.

What type of 2FA is most secure?

From most to least secure: hardware keys (YubiKey) > authenticator apps (Authy, Google Authenticator) > SMS codes. SMS is vulnerable to SIM swapping attacks, so avoid it for critical accounts if possible.
